The Power of Security Awareness
23 October 2013
Security awareness is one aspect of security that I often see overlooked, and more specifically not prioritised. What is it that makes intelligent business leaders fail to see the business benefit of security awareness? Many security professionals also show little enthusiasm for security awareness and instead focus on expensive shiny security appliances and managed services. Is it just a career's worth of enterprise conditioning that leads many to think that fundamental security awareness cannot possibly offer significant security protection and business benefits? Or maybe it's because there are no sales representatives to have meetings with. Whatever the reason, in my experience security awareness is massively overlooked and its impact and effectiveness are seriously underestimated.

Predicting the future of technology is not a wise thing to do. I may be taking a bit of a risk here, but I am going to predict one aspect of the future of enterprise security. I predict that in the future, IT security awareness will be widely considered the most significant factor in an enterprise security strategy.

Let me tell you why I predict this. Around thirty years ago there was a woman who lived in the street where I lived. She used to collect all of her empty glass bottles and take them to one of the few bottle recycling points around at the time. Very few people recycled anything thirty years ago. After all, why would you recycle glass bottles! Looking back on this, maybe she knew something most of us weren't aware of at the time. Maybe she knew that it was not good to send glass to landfill. Maybe she was aware of the impact on the environment. So, what's this got to do with security awareness? It actually has a lot to do with my point about awareness. Consumers now consider the 'green' aspect of the purchases they make. Large enterprises more often than not make statements about their 'green' credentials. Why? Because consumers are looking for those green credentials. Likewise, consumers now care about data security and privacy and in future will shop accordingly. I predict that the real security credentials of a business will become one of the primary factors in a customer's criteria for selecting a product or using the services of a business.

Consumers are becoming more and more concerned with their privacy and how effectively businesses protect and secure their personal data. Simply making a statement at the bottom of a company website about how secure customer data is or linking to a privacy statement won't be enough in future. In the future, consumers will want to see evidence. Consumer websites may even display league tables of how secure businesses really are based on their incident and exposure record.

There is, however, a fundamental difference between security and my analogy of the woman recycling bottles thirty years before mainstream consumers actually became concerned about it. The difference is that businesses and enterprises could simply purchase whatever they needed to hit their green credential statements. Unfortunately, business and enterprise cannot simply turn on security overnight. No amount of money can purchase security overnight. Security cannot be bought because in future the primary aspect of an enterprise's security posture will be the level of security awareness of its employees, and not the shiny boxes or managed services it deploys. Security awareness cannot be bought because it is cultural. There is no magical security awareness campaign that will provide employees, instantly or even in the short term, with the awareness they will need to protect the business they work for.

Security awareness is a mindset based on long term acquired knowledge of the risks and understanding of the impact of an individual's actions. Security awareness is analogous to many of the dangers and risks we are aware of in our day to day lives. For example, we know how to cross a road safely, we know the minimum we need to do to protect our homes, and we are aware of the dangers to our children. We do not just one day read a book or watch a video to gain awareness of life's day-to-day risks. Our awareness of how to live life safely and securely is acquired over many years. Our understanding of the risks in life is built up slowly, a little bit at a time, and we probably didn't realise it was happening. Security awareness is exactly the same. Fundamental aspects of security awareness need to be consistently drip-fed to employees over the long term. The optimum security awareness strategy should be one where employees are not even aware that they are actually being made aware of security risks.

Business and enterprise need to realise that a token security awareness course for employees does very little to develop security awareness. It merely ticks a box. If businesses want to be secure, and in future deliver the levels of security and privacy consumers will demand, then they must prioritise security awareness and get serious about it. The business winners in future will be those businesses that start their long term strategic security awareness programme now and plan to make it part of the DNA of their business and the people that work for them. It may take 10 years to develop a mature security aware workforce, but it will give an enterprise the competitive edge.

One thing is for sure, the latest 'super security' appliances or 'best in class' managed security services are becoming less significant in building a robust enterprise security posture. Security awareness will become the significant factor, specifically security culture and this isn't something money can buy!

varlogsecurity blog